655 lines
23 KiB
Python
655 lines
23 KiB
Python
# from copy import deepcopy
|
|
# from datetime import datetime, timedelta
|
|
|
|
from django.conf import settings
|
|
from elasticsearch import AsyncElasticsearch, Elasticsearch
|
|
from elasticsearch.exceptions import NotFoundError, RequestError
|
|
|
|
from core.db import StorageBackend, add_defaults
|
|
|
|
# from json import dumps
|
|
# pp = lambda x: print(dumps(x, indent=2))
|
|
from core.db.processing import parse_results
|
|
from core.lib.parsing import (
|
|
QueryError,
|
|
parse_date_time,
|
|
parse_index,
|
|
parse_rule,
|
|
parse_sentiment,
|
|
parse_size,
|
|
parse_sort,
|
|
parse_source,
|
|
)
|
|
|
|
# These are sometimes numeric, sometimes strings.
|
|
# If they are seen to be numeric first, ES will erroneously
|
|
# index them as "long" and then subsequently fail to index messages
|
|
# with strings in the field.
|
|
keyword_fields = ["nick_id", "user_id", "net_id"]
|
|
|
|
mapping = {
|
|
"mappings": {
|
|
"properties": {
|
|
"ts": {"type": "date", "format": "epoch_second"},
|
|
"match_ts": {"type": "date", "format": "iso8601"},
|
|
"file_tim": {"type": "date", "format": "epoch_millis"},
|
|
"rule_id": {"type": "keyword"},
|
|
}
|
|
}
|
|
}
|
|
for field in keyword_fields:
|
|
mapping["mappings"]["properties"][field] = {"type": "text"}
|
|
|
|
|
|
class ElasticsearchBackend(StorageBackend):
|
|
def __init__(self):
|
|
super().__init__("elasticsearch")
|
|
self.client = None
|
|
self.async_client = None
|
|
|
|
def initialise(self, **kwargs):
|
|
"""
|
|
Inititialise the Elasticsearch API endpoint.
|
|
"""
|
|
auth = (settings.ELASTICSEARCH_USERNAME, settings.ELASTICSEARCH_PASSWORD)
|
|
client = Elasticsearch(
|
|
settings.ELASTICSEARCH_URL, http_auth=auth, verify_certs=False
|
|
)
|
|
self.client = client
|
|
|
|
async def async_initialise(self, **kwargs):
|
|
"""
|
|
Inititialise the Elasticsearch API endpoint in async mode.
|
|
"""
|
|
global mapping
|
|
auth = (settings.ELASTICSEARCH_USERNAME, settings.ELASTICSEARCH_PASSWORD)
|
|
client = AsyncElasticsearch(
|
|
settings.ELASTICSEARCH_URL, http_auth=auth, verify_certs=False
|
|
)
|
|
self.async_client = client
|
|
|
|
# Create the rule storage indices
|
|
if await client.indices.exists(index=settings.INDEX_RULE_STORAGE):
|
|
await client.indices.put_mapping(
|
|
index=settings.INDEX_RULE_STORAGE,
|
|
properties=mapping["mappings"]["properties"],
|
|
)
|
|
else:
|
|
await client.indices.create(
|
|
index=settings.INDEX_RULE_STORAGE, mappings=mapping["mappings"]
|
|
)
|
|
|
|
def delete_rule_entries(self, rule_id):
|
|
"""
|
|
Delete all entries for a given rule.
|
|
:param rule_id: The rule ID to delete.
|
|
"""
|
|
if self.client is None:
|
|
self.initialise()
|
|
search_query = self.construct_query(None, None, blank=True)
|
|
search_query["query"]["bool"]["must"].append(
|
|
{"match_phrase": {"rule_id": rule_id}}
|
|
)
|
|
return self.client.delete_by_query(
|
|
index=settings.INDEX_RULE_STORAGE, body=search_query
|
|
)
|
|
|
|
def construct_context_query(
|
|
self, index, net, channel, src, num, size, type=None, nicks=None
|
|
):
|
|
# Get the initial query
|
|
query = self.construct_query(None, size, blank=True)
|
|
|
|
extra_must = []
|
|
extra_should = []
|
|
extra_should2 = []
|
|
if num:
|
|
extra_must.append({"match_phrase": {"num": num}})
|
|
if net:
|
|
extra_must.append({"match_phrase": {"net": net}})
|
|
if channel:
|
|
extra_must.append({"match": {"channel": channel}})
|
|
if nicks:
|
|
for nick in nicks:
|
|
extra_should2.append({"match": {"nick": nick}})
|
|
|
|
types = ["msg", "notice", "action", "kick", "topic", "mode"]
|
|
fields = [
|
|
"nick",
|
|
"ident",
|
|
"host",
|
|
"channel",
|
|
"ts",
|
|
"msg",
|
|
"type",
|
|
"net",
|
|
"src",
|
|
"tokens",
|
|
]
|
|
query["fields"] = fields
|
|
|
|
if index == "internal":
|
|
fields.append("mtype")
|
|
if channel == "*status" or type == "znc":
|
|
if {"match": {"channel": channel}} in extra_must:
|
|
extra_must.remove({"match": {"channel": channel}})
|
|
extra_should2 = []
|
|
# Type is one of msg or notice
|
|
# extra_should.append({"match": {"mtype": "msg"}})
|
|
# extra_should.append({"match": {"mtype": "notice"}})
|
|
extra_should.append({"match": {"type": "znc"}})
|
|
extra_should.append({"match": {"type": "self"}})
|
|
|
|
extra_should2.append({"match": {"type": "znc"}})
|
|
extra_should2.append({"match": {"nick": channel}})
|
|
elif type == "auth":
|
|
if {"match": {"channel": channel}} in extra_must:
|
|
extra_must.remove({"match": {"channel": channel}})
|
|
extra_should2 = []
|
|
extra_should2.append({"match": {"nick": channel}})
|
|
# extra_should2.append({"match": {"mtype": "msg"}})
|
|
# extra_should2.append({"match": {"mtype": "notice"}})
|
|
|
|
extra_should.append({"match": {"type": "query"}})
|
|
extra_should2.append({"match": {"type": "self"}})
|
|
extra_should.append({"match": {"nick": channel}})
|
|
else:
|
|
for ctype in types:
|
|
extra_should.append({"match": {"mtype": ctype}})
|
|
else:
|
|
for ctype in types:
|
|
extra_should.append({"match": {"type": ctype}})
|
|
# query = {
|
|
# "index": index,
|
|
# "limit": size,
|
|
# "query": {
|
|
# "bool": {
|
|
# "must": [
|
|
# # {"equals": {"src": src}},
|
|
# # {
|
|
# # "bool": {
|
|
# # "should": [*extra_should],
|
|
# # }
|
|
# # },
|
|
# # {
|
|
# # "bool": {
|
|
# # "should": [*extra_should2],
|
|
# # }
|
|
# # },
|
|
# *extra_must,
|
|
# ]
|
|
# }
|
|
# },
|
|
# "fields": fields,
|
|
# # "_source": False,
|
|
# }
|
|
if extra_must:
|
|
for x in extra_must:
|
|
query["query"]["bool"]["must"].append(x)
|
|
if extra_should:
|
|
query["query"]["bool"]["must"].append({"bool": {"should": [*extra_should]}})
|
|
if extra_should2:
|
|
query["query"]["bool"]["must"].append(
|
|
{"bool": {"should": [*extra_should2]}}
|
|
)
|
|
return query
|
|
|
|
def construct_query(self, query, size=None, blank=False, **kwargs):
|
|
"""
|
|
Accept some query parameters and construct an Elasticsearch query.
|
|
"""
|
|
query_base = {
|
|
# "size": size,
|
|
"query": {"bool": {"must": []}},
|
|
}
|
|
if size:
|
|
query_base["size"] = size
|
|
query_string = {
|
|
"query_string": {
|
|
"query": query,
|
|
# "fields": fields,
|
|
# "default_field": "msg",
|
|
# "type": "best_fields",
|
|
"fuzziness": "AUTO",
|
|
"fuzzy_transpositions": True,
|
|
"fuzzy_max_expansions": 50,
|
|
"fuzzy_prefix_length": 0,
|
|
# "minimum_should_match": 1,
|
|
"default_operator": "and",
|
|
"analyzer": "standard",
|
|
"lenient": True,
|
|
"boost": 1,
|
|
"allow_leading_wildcard": True,
|
|
# "enable_position_increments": False,
|
|
"phrase_slop": 3,
|
|
# "max_determinized_states": 10000,
|
|
"quote_field_suffix": "",
|
|
"quote_analyzer": "standard",
|
|
"analyze_wildcard": False,
|
|
"auto_generate_synonyms_phrase_query": True,
|
|
}
|
|
}
|
|
if not blank:
|
|
query_base["query"]["bool"]["must"].append(query_string)
|
|
return query_base
|
|
|
|
def parse(self, response, **kwargs):
|
|
parsed = parse_results(response, **kwargs)
|
|
return parsed
|
|
|
|
def run_query(self, user, search_query, **kwargs):
|
|
"""
|
|
Low level helper to run an ES query.
|
|
Accept a user to pass it to the filter, so we can
|
|
avoid filtering for superusers.
|
|
Accept fields and size, for the fields we want to match and the
|
|
number of results to return.
|
|
"""
|
|
if self.client is None:
|
|
self.initialise()
|
|
index = kwargs.get("index")
|
|
try:
|
|
response = self.client.search(body=search_query, index=index)
|
|
except RequestError as err:
|
|
print("Elasticsearch error", err)
|
|
return err
|
|
except NotFoundError as err:
|
|
print("Elasticsearch error", err)
|
|
return err
|
|
return response
|
|
|
|
async def async_run_query(self, user, search_query, **kwargs):
|
|
"""
|
|
Low level helper to run an ES query.
|
|
Accept a user to pass it to the filter, so we can
|
|
avoid filtering for superusers.
|
|
Accept fields and size, for the fields we want to match and the
|
|
number of results to return.
|
|
"""
|
|
if self.async_client is None:
|
|
await self.async_initialise()
|
|
index = kwargs.get("index")
|
|
try:
|
|
response = await self.async_client.search(body=search_query, index=index)
|
|
except RequestError as err:
|
|
print("Elasticsearch error", err)
|
|
return err
|
|
except NotFoundError as err:
|
|
print("Elasticsearch error", err)
|
|
return err
|
|
return response
|
|
|
|
async def async_store_matches(self, matches):
|
|
"""
|
|
Store a list of matches in Elasticsearch.
|
|
:param index: The index to store the matches in.
|
|
:param matches: A list of matches to store.
|
|
"""
|
|
if self.async_client is None:
|
|
await self.async_initialise()
|
|
for match in matches:
|
|
result = await self.async_client.index(
|
|
index=settings.INDEX_RULE_STORAGE, body=match
|
|
)
|
|
if not result["result"] == "created":
|
|
self.log.error(f"Indexing failed: {result}")
|
|
self.log.debug(f"Indexed {len(matches)} messages in ES")
|
|
|
|
def store_matches(self, matches):
|
|
"""
|
|
Store a list of matches in Elasticsearch.
|
|
:param index: The index to store the matches in.
|
|
:param matches: A list of matches to store.
|
|
"""
|
|
if self.client is None:
|
|
self.initialise()
|
|
for match in matches:
|
|
result = self.client.index(index=settings.INDEX_RULE_STORAGE, body=match)
|
|
if not result["result"] == "created":
|
|
self.log.error(f"Indexing failed: {result}")
|
|
self.log.debug(f"Indexed {len(matches)} messages in ES")
|
|
|
|
def prepare_schedule_query(self, rule_object):
|
|
"""
|
|
Helper to run a scheduled query with reduced functionality.
|
|
"""
|
|
data = rule_object.parsed
|
|
|
|
if "tags" in data:
|
|
tags = data["tags"]
|
|
else:
|
|
tags = []
|
|
|
|
if "query" in data:
|
|
query = data["query"][0]
|
|
data["query"] = query
|
|
|
|
add_bool = []
|
|
add_top = []
|
|
if "source" in data:
|
|
total_count = len(data["source"])
|
|
total_sources = len(settings.MAIN_SOURCES) + len(
|
|
settings.SOURCES_RESTRICTED
|
|
)
|
|
if total_count != total_sources:
|
|
add_top_tmp = {"bool": {"should": []}}
|
|
for source_iter in data["source"]:
|
|
add_top_tmp["bool"]["should"].append(
|
|
{"match_phrase": {"src": source_iter}}
|
|
)
|
|
add_top.append(add_top_tmp)
|
|
if "tokens" in data:
|
|
add_top_tmp = {"bool": {"should": []}}
|
|
for token in data["tokens"]:
|
|
add_top_tmp["bool"]["should"].append(
|
|
{"match_phrase": {"tokens": token}}
|
|
)
|
|
add_top.append(add_top_tmp)
|
|
for field, values in data.items():
|
|
if field not in ["source", "index", "tags", "query", "sentiment", "tokens"]:
|
|
for value in values:
|
|
add_top.append({"match": {field: value}})
|
|
# Bypass the check for query and tags membership since we can search by msg, etc
|
|
search_query = self.parse_query(
|
|
data, tags, None, False, add_bool, bypass_check=True
|
|
)
|
|
if rule_object.window is not None:
|
|
range_query = {
|
|
"range": {
|
|
"ts": {
|
|
"gte": f"now-{rule_object.window}",
|
|
"lte": "now",
|
|
}
|
|
}
|
|
}
|
|
add_top.append(range_query)
|
|
self.add_bool(search_query, add_bool)
|
|
self.add_top(search_query, add_top)
|
|
# if "sentiment" in data:
|
|
search_query["aggs"] = {
|
|
"avg_sentiment": {
|
|
"avg": {"field": "sentiment"},
|
|
}
|
|
}
|
|
|
|
return search_query
|
|
|
|
def schedule_query_results_test_sync(self, rule_object):
|
|
"""
|
|
Helper to run a scheduled query test with reduced functionality.
|
|
Sync version for running from Django forms.
|
|
Does not return results.
|
|
"""
|
|
data = rule_object.parsed
|
|
|
|
search_query = self.prepare_schedule_query(rule_object)
|
|
for index in data["index"]:
|
|
if "message" in search_query:
|
|
self.log.error(f"Error parsing test query: {search_query['message']}")
|
|
continue
|
|
response = self.run_query(
|
|
rule_object.user,
|
|
search_query,
|
|
index=index,
|
|
)
|
|
self.log.debug(f"Running scheduled test query on {index}: {search_query}")
|
|
# self.log.debug(f"Response from scheduled query: {response}")
|
|
if isinstance(response, Exception):
|
|
error = response.info["error"]["root_cause"][0]["reason"]
|
|
self.log.error(f"Error running test scheduled search: {error}")
|
|
raise QueryError(error)
|
|
|
|
async def schedule_query_results(self, rule_object):
|
|
"""
|
|
Helper to run a scheduled query with reduced functionality and async.
|
|
"""
|
|
result_map = {}
|
|
data = rule_object.parsed
|
|
|
|
search_query = self.prepare_schedule_query(rule_object)
|
|
|
|
for index in data["index"]:
|
|
if "message" in search_query:
|
|
self.log.error(f"Error parsing query: {search_query['message']}")
|
|
continue
|
|
response = await self.async_run_query(
|
|
rule_object.user,
|
|
search_query,
|
|
index=index,
|
|
)
|
|
self.log.debug(f"Running scheduled query on {index}: {search_query}")
|
|
# self.log.debug(f"Response from scheduled query: {response}")
|
|
if isinstance(response, Exception):
|
|
error = response.info["error"]["root_cause"][0]["reason"]
|
|
self.log.error(f"Error running scheduled search: {error}")
|
|
raise QueryError(error)
|
|
if len(response["hits"]["hits"]) == 0:
|
|
# No results, skip
|
|
result_map[index] = ({}, [])
|
|
continue
|
|
meta, response = self.parse(response, meta=True)
|
|
# print("Parsed response", response)
|
|
if "message" in response:
|
|
self.log.error(f"Error running scheduled search: {response['message']}")
|
|
continue
|
|
result_map[index] = (meta, response)
|
|
|
|
# Average aggregation check
|
|
# Could probably do this in elasticsearch
|
|
result_map = self.schedule_check_aggregations(rule_object, result_map)
|
|
|
|
return result_map
|
|
|
|
def query_results(
|
|
self,
|
|
request,
|
|
query_params,
|
|
size=None,
|
|
annotate=True,
|
|
custom_query=False,
|
|
reverse=False,
|
|
dedup=False,
|
|
dedup_fields=None,
|
|
tags=None,
|
|
):
|
|
add_bool = []
|
|
add_top = []
|
|
add_top_negative = []
|
|
|
|
add_defaults(query_params)
|
|
|
|
# Now, run the helpers for SIQTSRSS/ADR
|
|
# S - Size
|
|
# I - Index
|
|
# Q - Query
|
|
# T - Tags
|
|
# S - Source
|
|
# R - Ranges
|
|
# S - Sort
|
|
# S - Sentiment
|
|
# A - Annotate
|
|
# D - Dedup
|
|
# R - Reverse
|
|
|
|
# S - Size
|
|
if request.user.is_anonymous:
|
|
sizes = settings.MAIN_SIZES_ANON
|
|
else:
|
|
sizes = settings.MAIN_SIZES
|
|
if not size:
|
|
size = parse_size(query_params, sizes)
|
|
if isinstance(size, dict):
|
|
return size
|
|
|
|
rule_object = parse_rule(request.user, query_params)
|
|
if isinstance(rule_object, dict):
|
|
return rule_object
|
|
|
|
if rule_object is not None:
|
|
index = settings.INDEX_RULE_STORAGE
|
|
add_bool.append({"rule_id": str(rule_object.id)})
|
|
else:
|
|
# I - Index
|
|
index = parse_index(request.user, query_params)
|
|
if isinstance(index, dict):
|
|
return index
|
|
|
|
# Q/T - Query/Tags
|
|
search_query = self.parse_query(
|
|
query_params, tags, size, custom_query, add_bool
|
|
)
|
|
# Query should be a dict, so check if it contains message here
|
|
if "message" in search_query:
|
|
return search_query
|
|
|
|
# S - Sources
|
|
sources = parse_source(request.user, query_params)
|
|
if isinstance(sources, dict):
|
|
return sources
|
|
total_count = len(sources)
|
|
# Total is -1 due to the "all" source
|
|
total_sources = (
|
|
len(settings.MAIN_SOURCES) - 1 + len(settings.SOURCES_RESTRICTED)
|
|
)
|
|
|
|
# If the sources the user has access to are equal to all
|
|
# possible sources, then we don't need to add the source
|
|
# filter to the query.
|
|
if total_count != total_sources:
|
|
add_top_tmp = {"bool": {"should": []}}
|
|
for source_iter in sources:
|
|
add_top_tmp["bool"]["should"].append(
|
|
{"match_phrase": {"src": source_iter}}
|
|
)
|
|
if query_params["source"] != "all":
|
|
add_top.append(add_top_tmp)
|
|
|
|
# R - Ranges
|
|
# date_query = False
|
|
from_ts, to_ts = parse_date_time(query_params)
|
|
if from_ts:
|
|
range_query = {
|
|
"range": {
|
|
"ts": {
|
|
"gt": from_ts,
|
|
"lt": to_ts,
|
|
}
|
|
}
|
|
}
|
|
add_top.append(range_query)
|
|
|
|
# S - Sort
|
|
sort = parse_sort(query_params)
|
|
if isinstance(sort, dict):
|
|
return sort
|
|
|
|
if rule_object is not None:
|
|
field = "match_ts"
|
|
else:
|
|
field = "ts"
|
|
if sort:
|
|
# For Druid compatibility
|
|
sort_map = {"ascending": "asc", "descending": "desc"}
|
|
sorting = [
|
|
{
|
|
field: {
|
|
"order": sort_map[sort],
|
|
}
|
|
}
|
|
]
|
|
search_query["sort"] = sorting
|
|
|
|
# S - Sentiment
|
|
sentiment_r = parse_sentiment(query_params)
|
|
if isinstance(sentiment_r, dict):
|
|
return sentiment_r
|
|
if sentiment_r:
|
|
if rule_object is not None:
|
|
sentiment_index = "meta.aggs.avg_sentiment.value"
|
|
else:
|
|
sentiment_index = "sentiment"
|
|
sentiment_method, sentiment = sentiment_r
|
|
range_query_compare = {"range": {sentiment_index: {}}}
|
|
range_query_precise = {
|
|
"match": {
|
|
sentiment_index: None,
|
|
}
|
|
}
|
|
if sentiment_method == "below":
|
|
range_query_compare["range"][sentiment_index]["lt"] = sentiment
|
|
add_top.append(range_query_compare)
|
|
elif sentiment_method == "above":
|
|
range_query_compare["range"][sentiment_index]["gt"] = sentiment
|
|
add_top.append(range_query_compare)
|
|
elif sentiment_method == "exact":
|
|
range_query_precise["match"][sentiment_index] = sentiment
|
|
add_top.append(range_query_precise)
|
|
elif sentiment_method == "nonzero":
|
|
range_query_precise["match"][sentiment_index] = 0
|
|
add_top_negative.append(range_query_precise)
|
|
|
|
# Add in the additional information we already populated
|
|
self.add_bool(search_query, add_bool)
|
|
self.add_top(search_query, add_top)
|
|
self.add_top(search_query, add_top_negative, negative=True)
|
|
|
|
response = self.query(
|
|
request.user,
|
|
search_query,
|
|
index=index,
|
|
)
|
|
if "message" in response:
|
|
return response
|
|
|
|
# A/D/R - Annotate/Dedup/Reverse
|
|
response["object_list"] = self.process_results(
|
|
response["object_list"],
|
|
annotate=annotate,
|
|
dedup=dedup,
|
|
dedup_fields=dedup_fields,
|
|
reverse=reverse,
|
|
)
|
|
|
|
context = response
|
|
return context
|
|
|
|
def query_single_result(self, request, query_params):
|
|
context = self.query_results(request, query_params, size=100)
|
|
|
|
if not context:
|
|
return {"message": "Failed to run query", "message_class": "danger"}
|
|
if "message" in context:
|
|
return context
|
|
dedup_set = {item["nick"] for item in context["object_list"]}
|
|
if dedup_set:
|
|
context["item"] = context["object_list"][0]
|
|
|
|
return context
|
|
|
|
def add_bool(self, search_query, add_bool):
|
|
"""
|
|
Add the specified boolean matches to search query.
|
|
"""
|
|
if not add_bool:
|
|
return
|
|
for item in add_bool:
|
|
search_query["query"]["bool"]["must"].append({"match_phrase": item})
|
|
|
|
def add_top(self, search_query, add_top, negative=False):
|
|
"""
|
|
Merge add_top with the base of the search_query.
|
|
"""
|
|
if not add_top:
|
|
return
|
|
if negative:
|
|
for item in add_top:
|
|
if "must_not" in search_query["query"]["bool"]:
|
|
search_query["query"]["bool"]["must_not"].append(item)
|
|
else:
|
|
search_query["query"]["bool"]["must_not"] = [item]
|
|
else:
|
|
for item in add_top:
|
|
if "query" not in search_query:
|
|
search_query["query"] = {"bool": {"must": []}}
|
|
search_query["query"]["bool"]["must"].append(item)
|